1 Reply Latest reply on Jan 1, 2008 9:25 PM by shane.bryzak

Seam EJB3 authorization

desanocra Dec 30, 2007 7:22 PM

i have a application with java webstart frontend which uses security restriction with @RolesAlowed annotation. Now i want to add a seam frontend. My Problem is that i can login but cant call any restricted EJB methods.

The Application stores the user passwords encrypted. This is the reason why the Java-Swing-Webstart Frontend store uses this piece of code to login:

 public LoginContext createLoginContext(final String inUsername, char[] inPassword, Subject inSubject) {
 try {
 mIsAdmin = false;
 mUsername=inUsername;
 mPassword= new char[inPassword.length];
 System.arraycopy(inPassword, 0, mPassword, 0, inPassword.length);
 mLoginContext = new LoginContext("myrealm", inSubject, new CallbackHandler(){

 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 for(int i = 0; i < callbacks.length; i++) {
 if (callbacks instanceof NameCallback) {
 NameCallback nameCallback = (NameCallback)callbacks;
 nameCallback.setName(inUsername);
 } else if (callbacks instanceof PasswordCallback) {
 PasswordCallback pwCallback = (PasswordCallback)callbacks;
 String aEncPwd = SecurityUtils.getCryptedPwd(mUsername, mPassword);
 for(int j=0; j < mPassword.length; j++) {
 mPassword[j] = ' ';
 }
 pwCallback.setPassword(aEncPwd.toCharArray());
 } else throw new UnsupportedCallbackException(callbacks);
 }
 }
 }
 );
 } catch (LoginException e) {
 getLogger().log(LogLevel.ERROR, CommonResources.getMsg("auth.LoginModule.login.context.creation.failed"), e);
 return null;
 }
 return mLoginContext;
 }

 public User getUser(final String inUsername) {
 try {
 String aAuthCtrlRemote = CommonResources.getBeanJndiNames().getString("controller.authentication");
 getLogger().log(LogLevel.DEBUG, "Using AuthenticationController Bean: {0}", aAuthCtrlRemote);
 AuthenticationController aBean = (AuthenticationController) CommonFactory.getInitialContext().lookup(aAuthCtrlRemote);
 if(inUsername != null) {
 try {
 User aUser = aBean.qryUser(inUsername);
 return aUser;
 }catch(javax.ejb.EJBAccessException e) {
 getLogger().log(LogLevel.ERROR, "Error: {0}", e);
 }
 }
 } catch (Exception e) {
 getLogger().log(LogLevel.ERROR, "Error: {0}", e);
 }
 return null;
 }

 public boolean login(final String inUsername, char[] inPassword) {
 if(mLoginContext != null) {
 logout();
 }
 LoginContext aLoginContext = createLoginContext(inUsername, inPassword, new Subject());

 // Durchführung des Logins
 try {
 if(aLoginContext != null) {
 aLoginContext.login();
 }
 } catch (LoginException e) {
 getLogger().log(LogLevel.DEBUG, CommonResources.getMsg("view.LoginView.auth.failed"), e);
 return false;

 }

 try {
 String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
 getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
 ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
 //TODO locale session
 bean.startLocaleSession("a");

 User aUser = getUser(mUsername);
 if(aUser != null) {
 mIsAdmin = aUser.getRole().isAdmin();
 } else {
 mIsAdmin = false;
 }

 } catch (RuntimeException e) {
 getLogger().log(LogLevel.ERROR, "{0}", e);
 return false;
 } catch (NamingException e) {
 getLogger().log(LogLevel.ERROR, "{0}", e);
 return false;
 }

 fireEvent(true);
 return true;
 }

After execution the Java-Swing-Webstart client can call any restircted EJB method for the role of the logged-in user. For Example

 String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
 getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
 ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
 bean.startLocaleSession("a");

I use the same mechanism for seam. I wrote an Authenticator.

@Stateful
@Name("authenticator")
@Local( { SeamAuthenticator.class })
public class SeamAuthenticatorImpl implements SeamAuthenticator {

 public SeamAuthenticatorImpl() {

 }

 @SuppressWarnings("unchecked")
 @PermitAll
 public boolean login() {
 Identity aIdentity = Identity.instance();
 String aUsername = aIdentity.getUsername();
 String aPassword = aIdentity.getPassword();
 Identity.setSecurityEnabled(true);
 if (aPassword == null) {
 aPassword = "admin";
 aIdentity.setPassword(aPassword);
 }
 mCtrl = ClientFactory.getClientLoginCtrl();
 LoginContext aLoginContext = mCtrl.createLoginContext(aUsername, aPassword.toCharArray(), aIdentity.getSubject());
 if(aLoginContext != null) {
 try {
 aIdentity.authenticate(aLoginContext);
 try{
 String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
 getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
 ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
 bean.startLocaleSession("a");
 }
 }catch(NamingException e) {
 getLogger().log(LogLevel.ERROR, "{0}", e);
 e.printStackTrace();
 }
 return aIdentity.isLoggedIn();
 } catch (LoginException e) {
 getLogger().log(LogLevel.ERROR, "{0}", e);
 e.printStackTrace();
 return false;
 }
 }
 return false;
 }

 @Destroy @Remove
 public void destroy() {}

 /*
 * with the @Out annotation this bean can change the value of the <code>user</code>
 * context variable and make the new instance available to other session
 * beans and JSF pages
 */
 @SuppressWarnings("unused")
 @Out(required = false, scope = SESSION)
 private User user;

 private ClientLoginController mCtrl;

 static Logger getLogger() {
 return CommonFactory.getLogManager().getLogger(
 SeamAuthenticatorImpl.class.getName());
 }
}

The authentication works , Identity.isLoggedIn() == true, but the call bean.startLocaleSession("a"); fails. with

23:42:40,468 ERROR [ClientLoginCtrlImpl] Error: javax.ejb.EJBAccessException: Authorization failure|utab
javax.ejb.EJBAccessException: Authorization failure
 at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240)
 at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210)
 at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84)
 at $Proxy343.qryUser(Unknown Source)
 at impl.x.x.common.client.ctrl.ClientLoginCtrlImpl.getUser(ClientLoginCtrlImpl.java:89)
 at impl.x.x.server.ctrl.SeamAuthenticatorImpl.login(SeamAuthenticatorImpl.java:67)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
 at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
 at org.jboss.seam.intercept.EJBInvocationContext.proceed(EJBInvocationContext.java:44)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
 at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:46)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.persistence.ManagedEntityIdentityInterceptor.aroundInvoke(ManagedEntityIdentityInterceptor.java:48)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.persistence.EntityManagerProxyInterceptor.aroundInvoke(EntityManagerProxyInterceptor.java:26)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.persistence.HibernateSessionProxyInterceptor.aroundInvoke(HibernateSessionProxyInterceptor.java:27)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
 at org.jboss.seam.intercept.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:50)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118)
 at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.entity.ExtendedPersistenceContextPropagationInterceptor.invoke(ExtendedPersistenceContextPropagationInterceptor
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.aspects.tx.TxPolicy.invokeInCallerTx(TxPolicy.java:126)
 at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:195)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.stateful.StatefulInstanceInterceptor.invoke(StatefulInstanceInterceptor.java:83)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.stateful.StatefulContainer.localInvoke(StatefulContainer.java:206)
 at org.jboss.ejb3.stateful.StatefulLocalProxy.invoke(StatefulLocalProxy.java:119)
 at $Proxy322.login(Unknown Source)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.seam.util.Reflections.invoke(Reflections.java:21)
 at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
 at org.jboss.seam.intercept.ClientSideInterceptor$1.proceed(ClientSideInterceptor.java:76)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
 at org.jboss.seam.ejb.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:41)
 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
 at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
 at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:54)
 at org.javassist.tmp.java.lang.Object_$$_javassist_2.login(Object_$$_javassist_2.java)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
 at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
 at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
 at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
 at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:174)
 at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:108)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
 at org.jboss.seam.security.Identity.authenticate(Identity.java:259)
 at org.jboss.seam.security.Identity.authenticate(Identity.java:248)
 at org.jboss.seam.security.Identity.login(Identity.java:205)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
 at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
 at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
 at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
 at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
 at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:77)
 at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:91)
 at javax.faces.component.UICommand.broadcast(UICommand.java:383)
 at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
 at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
 at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
 at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:97)
 at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
 at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117)
 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
 at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:68)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
 at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
 at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
 at java.lang.Thread.run(Thread.java:595)

Whats wrong ? Why i cant call a restricted EJB method ?

1. Re: Seam EJB3 authorization

shane.bryzak Jan 1, 2008 9:25 PM (in response to desanocra)

Seam Security is currently not integrated with container security, so at this time you need to choose either one or the other.
Actions